f83e92d35db4d16e6c578836b6c671cd163069b363c1b5b18805f54fdf7bfa8b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 11:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
Size

4.1MB
MD5

0fec9864031a1e968d8c6a82ddf01bc0
SHA1

4b7ecf0e9914aded89177ab8a6bc3c21683fc9fa
SHA256

f83e92d35db4d16e6c578836b6c671cd163069b363c1b5b18805f54fdf7bfa8b
SHA512

fe0098d350972aa3a80dd0213a43a34f3cce39fe204e6442f96786587dea702f7e668d1c0d53dfbeb694e5038342a9f828990f80e690a296275afc13b58a5f67
SSDEEP

98304:+R0pI/IQlUoMPdmpSpm4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm55n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRD\\xdobsys.exe"	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAI\\dobxec.exe"	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
2472	xdobsys.exe
2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2472	2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2472	2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2472	2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2472	2460	0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0fec9864031a1e968d8c6a82ddf01bc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\SysDrvRD\xdobsys.exe
  C:\SysDrvRD\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxAI\dobxec.exe

Filesize
4.1MB

MD5
c2ac0fc2305ee8d8c6e9d5851b532f02

SHA1
7127c74a54cf73f16ee51db42048730992cff43b

SHA256
f96194e36ee14f016bd0e3d24b37a0a2567919640a6adb03fa95755065f2a0e7

SHA512
87738b1fe6d0e8a940cf508d1a45a0057442aa732e011798145cefe45a946e241ca27396dbeb008a739e6c85c77ee9b5999a8b7cd72b98297b6600903e6b139a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
b18a0a7bd4488d7e0be032e0a47806ee

SHA1
2af37c63cd4de09ef648d919b318e26fa6ad18ad

SHA256
35d15b805a077d43a66aa123cabb8032818b9643a5e853ae357096235af374ec

SHA512
c1f46438b5fe2301db488718b65bd4b7273ffd20b157204b102c7cae6474942debc1f291e417730b0755e0f310838b413974fd52cf5aba85538248263d9e6dea

Download Submit
\SysDrvRD\xdobsys.exe

Filesize
4.1MB

MD5
179ce2772789b96db1d781114f48a0b5

SHA1
8b3722b11ac7eb24a7095b200bbc75461a0470f2

SHA256
7a3269a6cc72931d01868ae56e34d91c355ddfcc246c12cdb070c3a037dbdc3f

SHA512
94dc62b569f351699235291b3fbcf6c96cd42bbf9433f3fa7293d0f119ba34bbb545c35e8026e9e1dde8bac86026e19db9273ac30b0a184d0bc1109b7e48d4e0

Download Submit